Introduction to addslashes, mysql_real_escape_string and mysql_escape_string (PHP tutorial)

Jul 13, 2016 pm 05:15 PM

This article gives a brief introduction to the usage of, and the differences between, addslashes(), mysql_real_escape_string() and mysql_escape_string() in PHP. Readers who are interested can use it as a reference.

I really haven’t paid attention to this aspect before. When I was writing code, I used a very simple function, addslashes(). This function adds a backslash before each of the specified predefined characters.

These predefined characters are:

• Single quote (')
• Double quote (")
• Backslash (\)
• NULL

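The code is as follows:

<?php
// Recursively apply addslashes() to every value of an array, in place.
function as_array(&$arr_r)
{
    foreach ($arr_r as &$val) {
        if (is_array($val)) {
            as_array($val);
        } else {
            $val = addslashes($val);
        }
    }
    unset($val); // break the reference left over from the foreach
}

as_array($_POST);
?>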


Although many PHP programmers in China still rely on addslashes to prevent SQL injection, it is recommended that everyone strengthen their checks against SQL injection where Chinese (multi-byte) text is involved. The problem with addslashes is that an attacker can send 0xbf27 in place of a single quote. addslashes only changes 0xbf27 to 0xbf5c27, which becomes a valid multi-byte sequence: 0xbf5c is read as one character, and the 0x27 after it is still treated as a single quote, so addslashes fails to intercept it.

Of course, addslashes is not useless. It is used for processing single-byte strings. For multi-byte characters, use mysql_real_escape_string.
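
The byte-level behaviour described above, as an added example that is not code from the original article. liveQuotes() is a hypothetical helper and the input string is constructed; the example assumes the mbstring extension and takes GBK (named CP936 in mbstring) as the multi-byte character set. It runs addslashes() on the 0xbf27 sequence, then reads the result once as single-byte text and once as GBK, listing the single quotes that no backslash escapes in each reading.

```php
<?php
// Added example. Returns the character offsets of single quotes that are NOT
// preceded by an escaping backslash when $bytes is decoded as $charset.
function liveQuotes(string $bytes, string $charset): array
{
    $live    = [];
    $escaped = false;
    $length  = mb_strlen($bytes, $charset);

    for ($i = 0; $i < $length; $i++) {
        $ch = mb_substr($bytes, $i, 1, $charset);
        if ($escaped) {
            $escaped = false;      // previous character was a backslash: this one is inert
        } elseif ($ch === "\\") {
            $escaped = true;       // a real backslash character escapes the next character
        } elseif ($ch === "'") {
            $live[] = $i;          // quote with no escaping backslash in front of it
        }
    }
    return $live;
}

// Constructed sample input: the bytes 0xbf 0x27 followed by ordinary text.
$input   = "\xbf\x27 trailing text";
$escaped = addslashes($input);

// The first three bytes after addslashes(), shown as hex.
echo "escaped bytes: ", bin2hex(substr($escaped, 0, 3)), "\n";

// Single-byte reading: 0xbf, backslash and quote are three separate characters.
echo "unescaped quotes as ISO-8859-1: ";
print_r(liveQuotes($escaped, 'ISO-8859-1'));

// GBK reading: 0xbf5c is one two-byte character, so the backslash is absorbed.
echo "unescaped quotes as CP936 (GBK): ";
print_r(liveQuotes($escaped, 'CP936'));
```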

In addition, regarding the get_magic_quotes_gpc example in the PHP manual:

if (!get_magic_quotes_gpc()) {
    $lastname = addslashes($_POST['lastname']);
} else {
    $lastname = $_POST['lastname'];
}

It is best to check $_POST['lastname'] even when magic_quotes_gpc is already on.

Now let's talk about the difference between the two functions mysql_real_escape_string and mysql_escape_string:

mysql_real_escape_string can only be used under (PHP 4 >= 4.3.0, PHP 5). mysql_escape_string is available under (PHP 4 >= 4.0.3, PHP 5; note: this function has been deprecated in PHP 5.3 and is not recommended).

<?php
// Description: use array_map() to call mysql_real_escape_string on every element of an array
function mysqlClean($data)
{
    return (is_array($data)) ? array_map('mysqlClean', $data) : mysql_real_escape_string($data);
}
?>

The difference between the two is that mysql_real_escape_string takes into account the current character set of the connection, while mysql_escape_string does not.

To summarize:

<?php
function escape($str)
{
    // mysql_escape_string is tried first; it does not consider the connection character set.
    if (function_exists('mysql_escape_string')) {
        return mysql_escape_string($str);
    } elseif (function_exists('mysql_real_escape_string')) {
        return mysql_real_escape_string($str);
    } else {
        // Neither function exists: fall back to the magic quotes check.
        if (get_magic_quotes_gpc()) {
            return $str;
        } else {
            return addslashes($str);
        }
    }
}
?>
